Data processing posture (Draft baseline)
This page outlines the current GDPR role-model baseline and DPA structure used for procurement discussions. Final role allocation is always defined in contract artifacts.
Document status: Draft for legal/privacy reviewLast updated: 2026-02-17Owner: Legal + Privacy
This summary is publication-safe orientation content and not a full DPA agreement.
GDPR role model by deployment mode
| Deployment mode | Role posture | Notes |
|---|---|---|
| SmartClover managed SaaS | Mixed controller/processor model by processing purpose | Role allocation must be explicitly documented contractually per data flow. |
| Customer-managed private deployment | SmartClover acts as processor/support provider for defined instructions | Customer typically remains primary controller for core processing activities. |
| Hybrid or on-edge deployment | Mixed model with annex-level role allocation | No implicit role assumptions; each flow requires explicit assignment. |
DPA structure baseline
- Role allocation matrix by deployment mode and processing purpose.
- Documented instruction handling and confidentiality obligations.
- Subprocessor transparency with notification process.
- Security baseline covering access, encryption, and audit traceability.
- Breach notification and cooperation commitments.